Amazon AWS Official Blog
Building a Highly Available Enterprise Global Network with AWS Lambda and Auto Scaling (Part 3)
This post belongs to the series Building a Highly Available Enterprise Global Network with AWS Lambda and Auto Scaling:
- Building a Highly Available Enterprise Global Network with AWS Lambda and Auto Scaling (Part 1)
- Building a Highly Available Enterprise Global Network with AWS Lambda and Auto Scaling (Part 2)
- Building a Highly Available Enterprise Global Network with AWS Lambda and Auto Scaling (Part 3)
This is the third post in the series.
1. Overview
As enterprises expand globally or go through mergers and acquisitions, they need to connect several cloud regions into one global network, and because of missing early planning or the merger itself, IP address conflicts are likely. This series presents a networking design that uses dynamic routing and NAT to achieve full connectivity across the whole network. This third part describes two ways to make the VyOS VPN instances in the Singapore, Virginia and Frankfurt regions highly available:
- The first method uses Lambda and Auto Scaling to make a single VyOS VPN instance per VPC highly available when the instance fails
- Appendix 4 describes how to use Lambda to switch routes between several VyOS VPN instances in one VPC, achieving high availability that way
1.1. Topology diagram
2. VyOS instance high availability and network self-healing
In Parts 1 and 2 of this series we achieved full connectivity across the network. However, the VyOS instances in the Singapore, Frankfurt and Virginia regions are single points of failure, and once one fails the problem has to be diagnosed by hand. This post describes how to make the network self-healing with Auto Scaling, CloudWatch and Lambda. To keep costs down, the design uses a single instance for self-healing, which causes roughly 3 minutes of network interruption while it recovers. If a shorter interruption is required, refer to Appendix 4: build two VyOS instances in each Region, use Lambda to monitor VyOS instance state and network connectivity, and when a VyOS instance fails, invoke Lambda to switch the local route table to the other instance (this variant is not described in detail here; see the Lambda sample in Appendix 4 for reference).
Because of the AMI key pair issue, in this experiment a custom AMI could not be created directly from a fully configured VyOS instance (you can build your own AMI by following https://github.com/vyos/build-ami). The design therefore launches a fresh VyOS instance (with no VyOS configuration at all), adds it directly to an Auto Scaling group, and has a CloudWatch event trigger a Lambda function that completes the VyOS configuration. When a VyOS instance fails, Auto Scaling automatically launches a new instance, and the CloudWatch event triggers Lambda to disable Source/Dest. Check on the instance, reassociate the EIP, replace the route table entries, and configure the VyOS VPN and BGP.
2.1. Create the Auto Scaling group
The VyOS instance creation steps are omitted here (see Section 3 of this design).
In the figure below, Desired, Min and Max are all set to 1; for Subnets, choose several subnets in different AZs to provide fault tolerance.
Drag the scroll bar on the right to the bottom; lowering the Default Cooldown value is recommended to shorten the network interruption.
2.2. Create the Lambda function file
Connecting to VyOS remotely from Lambda uses the SSH component of the paramiko library, so this library must be imported. Connecting to the VyOS instance also requires its key pair, so the key pair of the corresponding instance is packaged together with the Lambda function file and uploaded through the Lambda console.
Prepare a Lambda packaging environment on Linux by following the link below.
This design uses a CentOS system as the Lambda packaging environment.
- Activate the virtual environment
manivannan@manivannan:~$ virtualenv -p /usr/bin/python3.6 BSoup
# The last argument, BSoup, is the name of the virtual environment
# Activate the virtual environment with the command below
manivannan@manivannan:~$ source BSoup/bin/activate
Remember the directory in which the virtual environment is installed.
- Install the paramiko library in the virtual environment
Install the paramiko library by following the link below
https://davidwzhang.com/2016/09/03/install-python-paramiko-at-centos-7/
- Write the Lambda function file
Each region's VyOS needs its own Lambda function file.
The Singapore Lambda function file is in Appendix 1
The Frankfurt Lambda function file is in Appendix 2
The Virginia Lambda function file is in Appendix 3
- Package the Lambda function file
Note: do not end the zip command with *; use . instead, which packages all files in the directory into a single archive. Using * produces an error.
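Before uploading, it is worth checking the archive itself: the Handler setting Sinvyos.lambda_handler only resolves if Sinvyos.py sits at the root of the zip (zipping the enclosing directory instead of its contents puts it one level down), paramiko must be importable from the root as well, and a key pair copied into the package as described above ships a private key together with the code. The following Python 3 check is added here as an example; it is not part of the original post or of any AWS tooling. It builds a small constructed package in memory and audits it. Sinvyos.py is the page's handler name, xxxxx.pem is the placeholder key name used in the appendices, and the PEM content is constructed, not a real key.

```python
import io
import zipfile

# Constructed stand-ins: the page's handler file and the placeholder key pair name.
HANDLER_FILE = "Sinvyos.py"
KEY_FILE = "xxxxx.pem"
PEM_MARKER = b"PRIVATE KEY-----"  # matches RSA, PKCS#8 and OpenSSH private key headers


def build_sample_package(include_key=True, nested_dir=""):
    """Build a small deployment package in memory. nested_dir simulates zipping
    the directory itself instead of its contents, which buries the handler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(nested_dir + HANDLER_FILE,
                    "def lambda_handler(event, context):\n    pass\n")
        zf.writestr(nested_dir + "paramiko/__init__.py",
                    "# stand-in for the real paramiko package\n")
        if include_key:
            # Constructed PEM text, not a real key
            zf.writestr(nested_dir + KEY_FILE,
                        "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n"
                        "-----END RSA PRIVATE KEY-----\n")
    return buf.getvalue()


def audit_lambda_package(zip_bytes, handler_file=HANDLER_FILE):
    """Audit a deployment package before upload. Returns whether the handler is
    at the archive root (required for Handler=<file>.lambda_handler), whether
    paramiko is importable from the root, and which entries carry private keys."""
    findings = {"handler_at_root": False, "handler_elsewhere": [],
                "paramiko_present": False, "private_keys": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/"):
                continue  # directory entry, nothing to inspect
            if name == handler_file:
                findings["handler_at_root"] = True
            elif name.endswith("/" + handler_file):
                findings["handler_elsewhere"].append(name)
            if name.startswith("paramiko/"):
                findings["paramiko_present"] = True
            # Sniff only small files: key files are a few KB, site-packages are not
            if name.endswith(".pem") or (info.file_size <= 16384
                                         and PEM_MARKER in zf.read(name)):
                findings["private_keys"].append(name)
    return findings


if __name__ == "__main__":
    print(audit_lambda_package(build_sample_package()))
    print(audit_lambda_package(build_sample_package(nested_dir="BSoup/")))
```

Run the audit against the real archive with `audit_lambda_package(open("function.zip", "rb").read())`. If `private_keys` is non-empty, an alternative to bundling the key is to keep it in AWS Systems Manager Parameter Store (SecureString) or AWS Secrets Manager and read it at invocation time into `paramiko.RSAKey.from_private_key` on an in-memory file object; the package then contains code only, and access to the key is governed by the function's IAM role.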
2.3. Create the Lambda function
Open the Lambda service console and choose Create Function.
Choose Author From Scratch and, for Runtime, the language you use; this design uses Python 2.7. The function needs permissions to execute: create a Role and attach the LambdaFullAccess policy to it (this step is not described here; see the official documentation for how to create a Role).
In the Function code section, set Code entry type to Upload a .zip file, click Upload, and locate the archive containing the Lambda function file you wrote. Change the Handler so that its prefix is the Lambda function file name: for Sinvyos.py it becomes Sinvyos.lambda_handler.
In Basic Settings, adjust the function Timeout; 3 minutes is sufficient here.
Click the Save button at the top to save the Lambda function.
2.4. Create the CloudWatch Event
If needed, add extra Targets such as an SNS Topic: when Auto Scaling launches an instance successfully, in addition to triggering the Lambda function that pushes the configuration, a message can be sent to SNS to notify the people responsible.
At this point the Lambda and Auto Scaling configuration is complete and the VyOS instance is highly available. By terminating the existing VyOS instance, we can observe how Lambda and Auto Scaling rebuild and reconfigure the VyOS instance and restore network connectivity.
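The handler in the appendices trusts whatever event invokes it, leaves staticGW undefined when the private IP matches none of the three subnets, and calls replace_route, which fails when the route is not yet present in the table. The Python 3 example below is added here and is not part of the original post; it shows the guards a production version of the handler would add: the event pattern the CloudWatch Events rule should carry, re-checked inside the function so that only launches from the intended Auto Scaling group reconfigure the network; gateway selection with the standard ipaddress module (a backport exists for the Python 2.7 runtime used on this page); and a route update that falls back to create_route on InvalidRoute.NotFound. The sample event, the group name vyos-asg-singapore, the route table id and the FakeEC2Client are constructed for offline use; the subnet values are those of the Singapore appendix.

```python
import ipaddress

# Constructed sample of the Auto Scaling "EC2 Instance Launch Successful" event
# that CloudWatch Events hands to the function; ids and names are placeholders.
SAMPLE_EVENT = {
    "source": "aws.autoscaling",
    "detail-type": "EC2 Instance Launch Successful",
    "detail": {
        "AutoScalingGroupName": "vyos-asg-singapore",
        "EC2InstanceId": "i-0123456789abcdef0",
    },
}

# Pattern for the CloudWatch Events rule. Pinning it to one Auto Scaling group
# keeps the function from rewriting route tables for launches it does not own.
EVENT_PATTERN = {
    "source": ["aws.autoscaling"],
    "detail-type": ["EC2 Instance Launch Successful"],
    "detail": {"AutoScalingGroupName": ["vyos-asg-singapore"]},
}

# Public subnets and their VPC router addresses, as in the Singapore appendix.
PUBLIC_SUBNETS = {
    "172.88.0.0/24": "172.88.0.1",
    "172.88.1.0/24": "172.88.1.1",
    "172.88.2.0/24": "172.88.2.1",
}


def matches_pattern(event, pattern):
    """Minimal CloudWatch Events pattern matcher: every pattern key must be in
    the event, nested dicts recurse, and a leaf list must contain the value."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True


def launched_instance_id(event, pattern=EVENT_PATTERN):
    """Re-check the rule pattern inside the function: a mis-scoped rule or a
    manual test invocation must not reconfigure the network."""
    if not matches_pattern(event, pattern):
        return None
    return event["detail"]["EC2InstanceId"]


def select_gateway(private_ip, subnets):
    """Return the VPC router of the subnet containing private_ip, or fail
    instead of pushing a VyOS config with an undefined next-hop."""
    addr = ipaddress.ip_address(private_ip)
    for cidr, gateway in subnets.items():
        if addr in ipaddress.ip_network(cidr):
            return gateway
    raise ValueError("%s is not in any configured public subnet" % private_ip)


def aws_error_code(exc):
    """Error code of a botocore ClientError-shaped exception, else None."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code")


def ensure_routes(ec2_client, route_table_id, cidrs, instance_id):
    """Point each CIDR at the new instance. replace_route needs an existing
    route, so a missing one is created rather than aborting the whole run."""
    outcome = {}
    for cidr in cidrs:
        kwargs = dict(DestinationCidrBlock=cidr, RouteTableId=route_table_id,
                      InstanceId=instance_id)
        try:
            ec2_client.replace_route(**kwargs)
            outcome[cidr] = "replaced"
        except Exception as exc:
            if aws_error_code(exc) != "InvalidRoute.NotFound":
                raise
            ec2_client.create_route(**kwargs)
            outcome[cidr] = "created"
    return outcome


class FakeEC2Client:
    """In-memory stand-in for the boto3 EC2 client so the logic runs offline."""

    def __init__(self, existing_routes):
        self.routes = dict(existing_routes)  # cidr -> current target

    def replace_route(self, DestinationCidrBlock, RouteTableId, InstanceId):
        if DestinationCidrBlock not in self.routes:
            exc = Exception("InvalidRoute.NotFound")
            exc.response = {"Error": {"Code": "InvalidRoute.NotFound"}}
            raise exc
        self.routes[DestinationCidrBlock] = InstanceId

    def create_route(self, DestinationCidrBlock, RouteTableId, InstanceId):
        self.routes[DestinationCidrBlock] = InstanceId


if __name__ == "__main__":
    demo = FakeEC2Client({"172.88.64.0/18": "i-old"})
    print(ensure_routes(demo, "rtb-placeholder", ["172.88.64.0/18", "192.168.1.0/24"], "i-new"))
```

In the real handler, `ec2_client` is `boto3.client('ec2', region_name=...)` and the exception caught is `botocore.exceptions.ClientError`, whose `response['Error']['Code']` is what `aws_error_code` reads; the same role that grants `ec2:ReplaceRoute` then also needs `ec2:CreateRoute` for the fallback.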
3. Appendix 1: Singapore site Lambda configuration file
import paramiko
import IPy
import boto3
import time
import json
print('import success')

def lambda_handler(event, context):
    print('connect to aws & get instance id from event')
    ec2 = boto3.resource('ec2', region_name='ap-southeast-1')
    client = boto3.client('ec2', region_name='ap-southeast-1')
    print(event['detail']['EC2InstanceId'])
    InstanceId = event['detail']['EC2InstanceId']
    i = ec2.Instance(InstanceId)
    ##### define parameters for EIP association and route items #####
    print('associate EIP to vyos EC2')
    vyosEIPId = 'eipalloc-09ae1fe7a21bdc5cd'  #### please replace with your EIP ID
    vyosRTId = 'rtb-082c17d9d72423a92'  ##### please replace with your rtb
    vyosRouteItem = '172.88.128.0/18'  ##### please replace with your network items
    vyosRouteItem1 = '172.88.64.0/18'  ##### please replace with your network items
    vyosRouteItem2 = '172.88.192.0/18'  ##### please replace with your network items
    ##### define parameters for BGP ASN #####
    bgpASN = '65400'  ###### please replace with your local ASN
    bgpRemoteASN = '64550'  #### please replace with your remote ASN
    ##### define parameters for keypair and hostname #####
    KeyPair = './xxxxx.pem'  #### please replace with your ec2 keypair
    hostname = 'SingVyos'  #### please replace with your hostname
    ##### define parameters for VPN IPs and VPN pre-shared secrets #####
    tgwpublicIP1 = 'x.x.x.x'  # please replace ip with the real ip of tgw public ip1
    tgwpublicIP2 = 'x.x.x.x'  # please replace ip with the real ip of tgw public ip2
    tgwtunnelIP1 = 'x.x.x.x'  # please replace ip with the real ip of tgw tunnel 1
    tgwtunnelIP2 = 'x.x.x.x'  # please replace ip with the real ip of tgw tunnel 2
    cgwtunnelIP1 = 'x.x.x.x'  # please replace ip with the real ip of cgw tunnel 1
    cgwtunnelIP2 = 'x.x.x.x'  # please replace ip with the real ip of cgw tunnel 2
    presharesecret1 = 'xxxxxxxxxxxxxxx'  # please replace xxxxxx with tunnel 1 pre-shared secret
    presharesecret2 = 'xxxxxxxxxxxxxxx'  # please replace yyyyyy with tunnel 2 pre-shared secret
    bgpnetwork1 = '172.88.0.0/24'  # please replace network with your publicsubnet1 network
    bgpnetwork2 = '172.88.1.0/24'  # please replace network with your publicsubnet2 network
    bgpnetwork3 = '172.88.2.0/24'  # please replace network with your publicsubnet3 network
    pubsubGW1 = '172.88.0.1'  # please replace with your publicsubnet1 gateway
    pubsubGW2 = '172.88.1.1'  # please replace with your publicsubnet2 gateway
    pubsubGW3 = '172.88.2.1'  # please replace with your publicsubnet3 gateway
    ##### define overlap IP and NAT parameters #####
    localNatIP = '10.0.1.0/24'  # please replace with local source IP pool
    remoteNatIP = '192.168.1.0/24'  # please replace with remote destination IP pool
    overlapIP = '172.88.88.0/24'  # please replace with the overlap IP
    ##### reassociate the EIP to the new vyos instance #####
    client.associate_address(InstanceId=InstanceId, AllocationId=vyosEIPId)
    ##### disable source/dest check so the instance can forward traffic #####
    print('disable instance source/dest check')
    client.modify_instance_attribute(SourceDestCheck={'Value': False}, InstanceId=InstanceId)
    ##### replace the route table entries with the new vyos instance #####
    print('update route table')
    client.replace_route(DestinationCidrBlock=vyosRouteItem, RouteTableId=vyosRTId, InstanceId=InstanceId)
    client.replace_route(DestinationCidrBlock=vyosRouteItem1, RouteTableId=vyosRTId, InstanceId=InstanceId)
    client.replace_route(DestinationCidrBlock=vyosRouteItem2, RouteTableId=vyosRTId, InstanceId=InstanceId)
    client.replace_route(DestinationCidrBlock=remoteNatIP, RouteTableId=vyosRTId, InstanceId=InstanceId)
    ##### get the private and public IP of the instance #####
    print('get instance private&public ip')
    privateIP = i.private_ip_address
    print(privateIP)
    publicIP = i.public_ip_address
    print(publicIP)
    ##### decide which public subnet the private ip of the vyos instance is in #####
    insub1 = privateIP in IPy.IP(bgpnetwork1)
    insub2 = privateIP in IPy.IP(bgpnetwork2)
    insub3 = privateIP in IPy.IP(bgpnetwork3)
    if insub1:
        staticGW = pubsubGW1
    elif insub2:
        staticGW = pubsubGW2
    elif insub3:
        staticGW = pubsubGW3
    else:
        # stop here rather than push a configuration with an undefined next-hop
        raise RuntimeError('private IP %s is not in any configured public subnet' % privateIP)
    ###### connect to vyos over SSH #####
    k = paramiko.RSAKey.from_private_key_file(KeyPair)
    c = paramiko.SSHClient()
    # the instance was just launched, so its host key is not known yet; AutoAddPolicy accepts it unverified
    c.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    print('before connect')
    c.connect(hostname=publicIP, username='vyos', pkey=k)
    print('connect success')
    ##### push the VYOS configuration (basic, VPN and BGP) into the VYOS instance #####
    command = """
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper begin
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set system host-name """+hostname+"""
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ike-group AWS lifetime '28800'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ike-group AWS proposal 1 dh-group '2'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ike-group AWS ikev2-reauth no
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ike-group AWS key-exchange ikev1
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" authentication mode 'pre-shared-secret'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" authentication pre-shared-secret '"""+presharesecret1+"""'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" description 'VPC tunnel 1'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" ike-group 'AWS'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" vti bind 'vti0'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" vti esp-group 'AWS'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" authentication id """+publicIP+"""
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" local-address '"""+privateIP+"""'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" ikev2-reauth inherit
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" connection-type initiate
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ipsec-interfaces interface 'eth0'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec esp-group AWS compression 'disable'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec esp-group AWS lifetime '3600'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec esp-group AWS mode 'tunnel'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec esp-group AWS pfs 'enable'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ike-group AWS dead-peer-detection interval '15'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces vti vti0 address '"""+cgwtunnelIP1+"""/30'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces vti vti0 description 'VPC tunnel 1'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces vti vti0 mtu '1436'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" neighbor """+tgwtunnelIP1+""" remote-as '"""+bgpRemoteASN+"""'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" neighbor """+tgwtunnelIP1+""" soft-reconfiguration 'inbound'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" neighbor """+tgwtunnelIP1+""" timers holdtime '30'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" neighbor """+tgwtunnelIP1+""" timers keepalive '10'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" network """+bgpnetwork1+"""
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" network """+bgpnetwork2+"""
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" network """+bgpnetwork3+"""
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" authentication mode 'pre-shared-secret'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" authentication pre-shared-secret '"""+presharesecret2+"""'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" description 'VPC tunnel 2'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" ike-group 'AWS'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" vti bind 'vti1'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" vti esp-group 'AWS'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" authentication id """+publicIP+"""
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" local-address '"""+privateIP+"""'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" ikev2-reauth inherit
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" connection-type initiate
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces vti vti1 address '"""+cgwtunnelIP2+"""/30'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces vti vti1 description 'VPC tunnel 2'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces vti vti1 mtu '1436'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" neighbor """+tgwtunnelIP2+""" remote-as '"""+bgpRemoteASN+"""'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" neighbor """+tgwtunnelIP2+""" soft-reconfiguration 'inbound'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" neighbor """+tgwtunnelIP2+""" timers holdtime '30'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" neighbor """+tgwtunnelIP2+""" timers keepalive '10'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols static route """+bgpnetwork1+""" next-hop """+staticGW+"""
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols static route """+bgpnetwork2+""" next-hop """+staticGW+"""
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols static route """+bgpnetwork3+""" next-hop """+staticGW+"""
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols static route """+overlapIP+""" next-hop """+staticGW+"""
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat destination rule 33 destination address '"""+localNatIP+"""'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat destination rule 33 inbound-interface 'vti0'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat destination rule 33 protocol 'all'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat destination rule 33 source address !'"""+localNatIP+"""'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat destination rule 33 translation address '"""+overlapIP+"""'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat source rule 33 destination address !'"""+localNatIP+"""'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat source rule 33 outbound-interface 'vti0'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat source rule 33 protocol 'all'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat source rule 33 source address '"""+overlapIP+"""'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat source rule 33 translation address '"""+localNatIP+"""'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat destination rule 32 destination address '"""+localNatIP+"""'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat destination rule 32 inbound-interface 'vti1'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat destination rule 32 protocol 'all'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat destination rule 32 source address !'"""+localNatIP+"""'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat destination rule 32 translation address '"""+overlapIP+"""'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat source rule 32 destination address !'"""+localNatIP+"""'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat source rule 32 outbound-interface 'vti1'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat source rule 32 protocol 'all'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat source rule 32 source address '"""+overlapIP+"""'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat source rule 32 translation address '"""+localNatIP+"""'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols static route """+localNatIP+""" next-hop """+cgwtunnelIP1+"""
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols static route """+localNatIP+""" next-hop """+cgwtunnelIP2+""" distance 110
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" network """+localNatIP+"""
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper commit
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper save
    """
    print(command)
    stdin, stdout, stderr = c.exec_command(command)
    # show what the configuration session returned, including any errors
    print(stdout.read().decode())
    print(stderr.read().decode())
    c.close()
4. Appendix 2: Frankfurt site Lambda configuration file
import paramiko
import IPy
import boto3
import time
import json
print('import success')

def lambda_handler(event, context):
    print('connect to aws & get instance id from event')
    ec2 = boto3.resource('ec2', region_name='eu-central-1')
    client = boto3.client('ec2', region_name='eu-central-1')
    print(event['detail']['EC2InstanceId'])
    InstanceId = event['detail']['EC2InstanceId']
    i = ec2.Instance(InstanceId)
    ##### parameters for EIP association and route items #####
    print('associate EIP to vyos EC2')
    vyosEIPId = 'eipalloc-xxxx'  #### please replace with your EIP ID
    vyosRTId = 'rtb-070e25ef3b42142be'  ##### please replace with your rtb
    vyosRouteItem = '172.88.128.0/18'  ##### please replace with your network items
    vyosRouteItem1 = '172.88.64.0/18'  ##### please replace with your network items
    vyosRouteItem2 = '172.88.0.0/18'  ##### please replace with your network items
    vyosRouteItemoverlap1 = '10.0.1.0/24'  #### replace with singapore localnat subnet
    vyosRouteItemoverlap2 = '192.168.1.0/24'  ### replace with virginia localnat subnet
    bgpASN = '65300'  ###### please replace with your local ASN
    bgpRemoteASN = '64550'  #### please replace with your remote ASN
    KeyPair = './xxxxx.pem'  #### please replace with your ec2 keypair
    hostname = 'FrankVyos'
    ##### VPN IP and pre-shared secret parameters #####
    tgwpublicIP1 = 'x.x.x.x'  # please replace ip with the real ip of tgw public ip1
    tgwpublicIP2 = 'x.x.x.x'  # please replace ip with the real ip of tgw public ip2
    tgwtunnelIP1 = '169.254.15.117'  # please replace ip with the real ip of tgw tunnel 1
    tgwtunnelIP2 = '169.254.14.253'  # please replace ip with the real ip of tgw tunnel 2
    cgwtunnelIP1 = '169.254.15.118'  # please replace ip with the real ip of cgw tunnel 1
    cgwtunnelIP2 = '169.254.14.254'  # please replace ip with the real ip of cgw tunnel 2
    presharesecret1 = 'xxxxxxxxxxx'  # please replace xxxxxx with tunnel 1 pre-shared secret
    presharesecret2 = 'xxxxxxxxxxx'  # please replace yyyyyy with tunnel 2 pre-shared secret
    bgpnetwork1 = '172.88.192.0/24'  # please replace network with your publicsubnet1 network
    bgpnetwork2 = '172.88.193.0/24'  # please replace network with your publicsubnet2 network
    bgpnetwork3 = '172.88.194.0/24'  # please replace network with your publicsubnet3 network
    pubsubGW1 = '172.88.192.1'  # please replace with your publicsubnet1 gateway
    pubsubGW2 = '172.88.193.1'  # please replace with your publicsubnet2 gateway
    pubsubGW3 = '172.88.194.1'  # please replace with your publicsubnet3 gateway
    ##### reassociate EIP #####
    client.associate_address(InstanceId=InstanceId, AllocationId=vyosEIPId)
    ##### disable source/dest check so the instance can forward traffic #####
    print('disable instance source/dest check')
    client.modify_instance_attribute(SourceDestCheck={'Value': False}, InstanceId=InstanceId)
    ##### replace the route table entries with the new vyos instance #####
    print('update route table')
    client.replace_route(DestinationCidrBlock=vyosRouteItem, RouteTableId=vyosRTId, InstanceId=InstanceId)
    client.replace_route(DestinationCidrBlock=vyosRouteItem1, RouteTableId=vyosRTId, InstanceId=InstanceId)
    client.replace_route(DestinationCidrBlock=vyosRouteItem2, RouteTableId=vyosRTId, InstanceId=InstanceId)
    client.replace_route(DestinationCidrBlock=vyosRouteItemoverlap1, RouteTableId=vyosRTId, InstanceId=InstanceId)
    client.replace_route(DestinationCidrBlock=vyosRouteItemoverlap2, RouteTableId=vyosRTId, InstanceId=InstanceId)
    ####### get the private and public IP of the instance
    print('get instance private&public ip')
    privateIP = i.private_ip_address
    print(privateIP)
    publicIP = i.public_ip_address
    print(publicIP)
    ####### decide which public subnet the private ip of the instance is in
    insub1 = privateIP in IPy.IP(bgpnetwork1)
    insub2 = privateIP in IPy.IP(bgpnetwork2)
    insub3 = privateIP in IPy.IP(bgpnetwork3)
    if insub1:
        staticGW = pubsubGW1
    elif insub2:
        staticGW = pubsubGW2
    elif insub3:
        staticGW = pubsubGW3
    else:
        # stop here rather than push a configuration with an undefined next-hop
        raise RuntimeError('private IP %s is not in any configured public subnet' % privateIP)
    ###### connect to vyos over SSH
    k = paramiko.RSAKey.from_private_key_file(KeyPair)
    c = paramiko.SSHClient()
    # the instance was just launched, so its host key is not known yet; AutoAddPolicy accepts it unverified
    c.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    print('before connect')
    c.connect(hostname=publicIP, username='vyos', pkey=k)
    print('connect success')
    ##### VPN configuration pushed to the instance
    ##### print('hostname='+hostname)
    command = """
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper begin
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set system host-name """+hostname+"""
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ike-group AWS lifetime '28800'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ike-group AWS proposal 1 dh-group '2'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ike-group AWS ikev2-reauth no
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ike-group AWS key-exchange ikev1
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" authentication mode 'pre-shared-secret'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" authentication pre-shared-secret '"""+presharesecret1+"""'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" description 'VPC tunnel 1'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" ike-group 'AWS'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" vti bind 'vti0'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" vti esp-group 'AWS'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" authentication id """+publicIP+"""
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" local-address '"""+privateIP+"""'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" ikev2-reauth inherit
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" connection-type initiate
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ipsec-interfaces interface 'eth0'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec esp-group AWS compression 'disable'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec esp-group AWS lifetime '3600'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec esp-group AWS mode 'tunnel'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec esp-group AWS pfs 'enable'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ike-group AWS dead-peer-detection interval '15'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces vti vti0 address '"""+cgwtunnelIP1+"""/30'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces vti vti0 description 'VPC tunnel 1'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces vti vti0 mtu '1436'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" neighbor """+tgwtunnelIP1+""" remote-as '"""+bgpRemoteASN+"""'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" neighbor """+tgwtunnelIP1+""" soft-reconfiguration 'inbound'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" neighbor """+tgwtunnelIP1+""" timers holdtime '30'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" neighbor """+tgwtunnelIP1+""" timers keepalive '10'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" network """+bgpnetwork1+"""
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" network """+bgpnetwork2+"""
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" network """+bgpnetwork3+"""
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" authentication mode 'pre-shared-secret'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" authentication pre-shared-secret '"""+presharesecret2+"""'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" description 'VPC tunnel 2'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" ike-group 'AWS'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" vti bind 'vti1'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" vti esp-group 'AWS'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" authentication id """+publicIP+"""
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" local-address '"""+privateIP+"""'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" ikev2-reauth inherit
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" connection-type initiate
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces vti vti1 address '"""+cgwtunnelIP2+"""/30'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces vti vti1 description 'VPC tunnel 2'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces vti vti1 mtu '1436'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" neighbor """+tgwtunnelIP2+""" remote-as '"""+bgpRemoteASN+"""'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" neighbor """+tgwtunnelIP2+""" soft-reconfiguration 'inbound'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" neighbor """+tgwtunnelIP2+""" timers holdtime '30'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" neighbor """+tgwtunnelIP2+""" timers keepalive '10'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols static route """+bgpnetwork1+""" next-hop """+staticGW+"""
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols static route """+bgpnetwork2+""" next-hop """+staticGW+"""
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols static route """+bgpnetwork3+""" next-hop """+staticGW+"""
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper commit
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper save
    """
    print(command)
    stdin, stdout, stderr = c.exec_command(command)
    # show what the configuration session returned, including any errors
    print(stdout.read().decode())
    print(stderr.read().decode())
    c.close()
5. Appendix 3: Virginia site Lambda configuration file
import paramiko
import IPy
import boto3
import time
import json
print('import success')

def lambda_handler(event, context):
    print('connect to aws & get instance id from event')
    ec2 = boto3.resource('ec2', region_name='us-east-1')
    client = boto3.client('ec2', region_name='us-east-1')
    print(event['detail']['EC2InstanceId'])
    InstanceId = event['detail']['EC2InstanceId']
    i = ec2.Instance(InstanceId)
    ####### parameters for EIP association and route items
    print('associate EIP to vyos EC2')
    vyosEIPId = 'eipalloc-xxxxxxx'  #### please replace with your EIP ID
    vyosRTId = 'rtb-xxxxx'  ##### please replace with your rtb
    vyosRouteItem = '172.88.0.0/18'  ##### please replace with your network items
    vyosRouteItem1 = '172.88.64.0/18'  ##### please replace with your network items
    vyosRouteItem2 = '172.88.192.0/18'  ##### please replace with your network items
    bgpASN = '65200'  ###### please replace with your local ASN
    bgpRemoteASN = '64550'  #### please replace with your remote ASN
    KeyPair = './xxxxx.pem'  #### please replace with your ec2 keypair
    hostname = 'VirgVyos'
    ####### VPN IP and key parameters
    tgwpublicIP1 = 'x.x.x.x'  # please replace ip with the real ip of tgw public ip1
    tgwpublicIP2 = 'x.x.x.x'  # please replace ip with the real ip of tgw public ip2
    tgwtunnelIP1 = '169.254.14.5'  # please replace ip with the real ip of tgw tunnel 1
    tgwtunnelIP2 = '169.254.12.177'  # please replace ip with the real ip of tgw tunnel 2
    cgwtunnelIP1 = '169.254.14.6'  # please replace ip with the real ip of cgw tunnel 1
    cgwtunnelIP2 = '169.254.12.178'  # please replace ip with the real ip of cgw tunnel 2
    presharesecret1 = 'xxxxxxxxxxxxxx'  # please replace xxxxxx with tunnel 1 pre-shared secret
    presharesecret2 = 'xxxxxxxxxxxxxx'  # please replace yyyyyy with tunnel 2 pre-shared secret
    bgpnetwork1 = '172.88.128.0/24'  # please replace network with your publicsubnet1 network
    bgpnetwork2 = '172.88.129.0/24'  # please replace network with your publicsubnet2 network
    bgpnetwork3 = '172.88.130.0/24'  # please replace network with your publicsubnet3 network
    pubsubGW1 = '172.88.128.1'  # please replace with your publicsubnet1 gateway
    pubsubGW2 = '172.88.129.1'  # please replace with your publicsubnet2 gateway
    pubsubGW3 = '172.88.130.1'  # please replace with your publicsubnet3 gateway
    ####### NAT parameters
    # localNatTunnelIP = '169.254.1.1'  # please replace with localnatinterface ip
    # remoteNatTunnelIP = '169.254.1.2'  # please replace with remotenatinterface ip
    # remoteNatPublicIP = '54.187.203.134'  # please replace with the remoteNatPublicIP
    localNatIP = '192.168.1.0/24'  # please replace with local source IP pool
    remoteNatIP = '10.0.1.0/24'  # please replace with remote destination IP pool
    overlapIP = '172.88.88.0/24'  # please replace with the overlap IP
    ####### resource level api (alternative, kept for reference)
    # print(vyosEIP)
    # address = ec2.VpcAddress(vyosEIP)
    # address.associate(InstanceId)
    ####### client level api: reassociate the EIP
    client.associate_address(InstanceId=InstanceId, AllocationId=vyosEIPId)
    ####### disable source/dest check so the instance can forward traffic
    ####### client level api
    print('disable instance source/dest check')
    client.modify_instance_attribute(SourceDestCheck={'Value': False}, InstanceId=InstanceId)
    ####### replace the route table entries with the new vyos instance
    ####### client level api
    print('update route table')
    client.replace_route(DestinationCidrBlock=vyosRouteItem, RouteTableId=vyosRTId, InstanceId=InstanceId)
    client.replace_route(DestinationCidrBlock=vyosRouteItem1, RouteTableId=vyosRTId, InstanceId=InstanceId)
    client.replace_route(DestinationCidrBlock=vyosRouteItem2, RouteTableId=vyosRTId, InstanceId=InstanceId)
    client.replace_route(DestinationCidrBlock=remoteNatIP, RouteTableId=vyosRTId, InstanceId=InstanceId)
    ####### get the private and public IP of the instance
    print('get instance private&public ip')
    privateIP = i.private_ip_address
    print(privateIP)
    publicIP = i.public_ip_address
    print(publicIP)
    ####### decide which public subnet the private ip of the instance is in
    insub1 = privateIP in IPy.IP(bgpnetwork1)
    insub2 = privateIP in IPy.IP(bgpnetwork2)
    insub3 = privateIP in IPy.IP(bgpnetwork3)
    if insub1:
        staticGW = pubsubGW1
    elif insub2:
        staticGW = pubsubGW2
    elif insub3:
        staticGW = pubsubGW3
    else:
        # stop here rather than push a configuration with an undefined next-hop
        raise RuntimeError('private IP %s is not in any configured public subnet' % privateIP)
    ###### connect to vyos over SSH
    k = paramiko.RSAKey.from_private_key_file(KeyPair)
    c = paramiko.SSHClient()
    # the instance was just launched, so its host key is not known yet; AutoAddPolicy accepts it unverified
    c.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    print('before connect')
    c.connect(hostname=publicIP, username='vyos', pkey=k)
    print('connect success')
    ##### VPN configuration pushed to the instance
    ##### print('hostname='+hostname)
    command = """
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper begin
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set system host-name """+hostname+"""
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ike-group AWS lifetime '28800'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ike-group AWS proposal 1 dh-group '2'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ike-group AWS ikev2-reauth no
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ike-group AWS key-exchange ikev1
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" authentication mode 'pre-shared-secret'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" authentication pre-shared-secret '"""+presharesecret1+"""'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" description 'VPC tunnel 1'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" ike-group 'AWS'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" vti bind 'vti0'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" vti esp-group 'AWS'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" authentication id """+publicIP+"""
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" local-address '"""+privateIP+"""'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" ikev2-reauth inherit
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP1+""" connection-type initiate
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ipsec-interfaces interface 'eth0'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec esp-group AWS compression 'disable'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec esp-group AWS lifetime '3600'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec esp-group AWS mode 'tunnel'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec esp-group AWS pfs 'enable'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ike-group AWS dead-peer-detection interval '15'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces vti vti0 address '"""+cgwtunnelIP1+"""/30'
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces vti vti0 description 'VPC tunnel 1'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces vti vti0 mtu '1436'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" neighbor """+tgwtunnelIP1+""" remot
e-as '"""+bgpRemoteASN+"""'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" neighbor """+tgwtunnelIP1+""" soft-
reconfiguration 'inbound'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" neighbor """+tgwtunnelIP1+""" timer
s holdtime '30'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" neighbor """+tgwtunnelIP1+""" timer
s keepalive '10'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" network """+bgpnetwork1+"""
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" network """+bgpnetwork2+"""
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" network """+bgpnetwork3+"""
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" authentication
mode 'pre-shared-secret'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" authentication
pre-shared-secret '"""+presharesecret2+"""'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" description 'VP
C tunnel 2'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" ike-group 'AWS'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" vti bind 'vti1'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" vti esp-group '
AWS'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" authentication
id """+publicIP+"""
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" local-address '
"""+privateIP+"""'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" ikev2-reauth in
herit
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set vpn ipsec site-to-site peer """+tgwpublicIP2+""" connection-type
initiate
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces vti vti1 address '"""+cgwtunnelIP2+"""/30'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces vti vti1 description 'VPC tunnel 2'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set interfaces vti vti1 mtu '1436'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" neighbor """+tgwtunnelIP2+""" remot
e-as '"""+bgpRemoteASN+"""'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" neighbor """+tgwtunnelIP2+""" soft-
reconfiguration 'inbound'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" neighbor """+tgwtunnelIP2+""" timer
s holdtime '30'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" neighbor """+tgwtunnelIP2+""" timer
s keepalive '10'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols static route """+bgpnetwork1+""" next-hop """+staticGW
+"""
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols static route """+bgpnetwork2+""" next-hop """+staticGW
+"""
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols static route """+bgpnetwork3+""" next-hop """+staticGW
+"""
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols static route """+overlapIP+"""
next-hop """+staticGW+"""
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat destination rule 33 destination address '"""+localNatIP+
"""'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat destination rule 33 inbound-interface 'vti0'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat destination rule 33 protocol 'all'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat destination rule 33 source address '"""+remoteNatIP+"""'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat destination rule 33 translation address '"""+overlapIP+"
""'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat source rule 33 destination address '"""+remoteNatIP+"""'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat source rule 33 outbound-interface 'vti0'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat source rule 33 protocol 'all'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat source rule 33 source address '"""+overlapIP+"""'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set nat source rule 33 translation address '"""+localNatIP+"""'
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols static route """+localNatIP+""" next-hop """+cgwtunnel
IP1+"""
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set protocols bgp """+bgpASN+""" network """+localNatIP+"""
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper commit
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper save
"""
print(command)
stdin,stdout,stderr=c.exec_command(command)
print ''.join(stdout)
c.close()
6. Appendix 4: Lambda example for switching routes between multiple Vyos Instances
import boto3
print('import success')

def lambda_handler(event, context):
    InstanceId = 'i-051d0dff18c89cb9c'
    InstanceId2 = 'i-0afa9ea4f8e3f6ec4'
    vyosRTId = 'rtb-0e3bbe044626f606f' ##### please replace with your rtb
    vyosRouteItem1 = '172.50.0.0/16' ##### please replace with your network items
    vyosRouteItem2 = '172.62.0.0/16'
    vyosRouteItem3 = '172.61.0.0/16'
    vyosRouteItem4 = '172.51.0.0/16'
    client = boto3.client('ec2', region_name='us-west-1')
    # the event carries the id of the failed Vyos instance; point the routes at the other one
    if InstanceId == event['detail']['instance-id']:
        InstanceId = InstanceId2
    print(event['detail']['instance-id'])
    print(InstanceId)
    ####### function replace RTB
    ####### client level api
    print('update route table')
    client.replace_route(DestinationCidrBlock=vyosRouteItem1, RouteTableId=vyosRTId, InstanceId=InstanceId)
    client.replace_route(DestinationCidrBlock=vyosRouteItem2, RouteTableId=vyosRTId, InstanceId=InstanceId)
    client.replace_route(DestinationCidrBlock=vyosRouteItem3, RouteTableId=vyosRTId, InstanceId=InstanceId)
    client.replace_route(DestinationCidrBlock=vyosRouteItem4, RouteTableId=vyosRTId, InstanceId=InstanceId)
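The appendix Lambda hard-codes the prefixes and rewrites all of them on every event, even for routes already on the surviving instance. The added example below (not the blog's code) reads the live route table and repoints only the routes still using the failed instance, ignoring events about other instances; it assumes the same event shape, event['detail']['instance-id'], and the boto3 calls describe_route_tables and replace_route, while the instance and route-table ids are placeholders and FakeEc2 is a constructed stand-in for the client.

```python
# Added example, not the blog's Lambda: ids are placeholders; FakeEc2 is a constructed offline stand-in for boto3
VYOS_INSTANCES = ['i-VYOS-A-PLACEHOLDER', 'i-VYOS-B-PLACEHOLDER']
VYOS_RTB = 'rtb-PLACEHOLDER'

def choose_standby(failed_id, vyos_ids):
    """Surviving VyOS instance, or None when failed_id is not one of ours (ignore the event)."""
    survivors = [i for i in vyos_ids if i != failed_id]
    return survivors[0] if failed_id in vyos_ids and survivors else None

def routes_via_instance(client, rtb_id, instance_id):
    """IPv4 destinations in rtb_id whose next hop is instance_id, read from the live table."""
    table = client.describe_route_tables(RouteTableIds=[rtb_id])['RouteTables'][0]
    return [r['DestinationCidrBlock'] for r in table['Routes']
            if r.get('InstanceId') == instance_id and 'DestinationCidrBlock' in r]

def failover_routes(client, rtb_id, failed_id, standby_id):
    """Repoint only the routes still using failed_id at standby_id; return the CIDRs moved."""
    moved = routes_via_instance(client, rtb_id, failed_id)
    for cidr in moved:
        client.replace_route(RouteTableId=rtb_id, DestinationCidrBlock=cidr, InstanceId=standby_id)
    return moved

def lambda_handler(event, context, client=None):
    failed = event['detail']['instance-id']  # same event shape as the appendix
    standby = choose_standby(failed, VYOS_INSTANCES)
    if standby is None:
        return {'moved': []}
    if client is None:  # real invocation: build the boto3 client only when needed
        import boto3
        client = boto3.client('ec2')
    return {'moved': failover_routes(client, VYOS_RTB, failed, standby)}

class FakeEc2:
    """Constructed in-memory stand-in for the boto3 EC2 client (one route table)."""
    def __init__(self, routes):
        self.routes = routes
    def describe_route_tables(self, RouteTableIds):
        return {'RouteTables': [{'RouteTableId': RouteTableIds[0], 'Routes': self.routes}]}
    def replace_route(self, RouteTableId, DestinationCidrBlock, InstanceId):
        for r in self.routes:
            if r.get('DestinationCidrBlock') == DestinationCidrBlock:
                r['InstanceId'] = InstanceId

def sample_routes():
    """Constructed table: two prefixes via VyOS A, one already via B, plus the VPC local route."""
    a, b = VYOS_INSTANCES
    return [{'DestinationCidrBlock': '10.0.0.0/16', 'GatewayId': 'local'},
            {'DestinationCidrBlock': '172.50.0.0/16', 'InstanceId': a},
            {'DestinationCidrBlock': '172.62.0.0/16', 'InstanceId': a},
            {'DestinationCidrBlock': '172.61.0.0/16', 'InstanceId': b}]
```

Calling lambda_handler with client=FakeEc2(sample_routes()) runs the whole failover path offline; a real invocation builds the boto3 client itself.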